"Forensic Assistant" is a program designed for computer forensic experts working in state institutions and in organizations that perform expert examinations for a fee. It was developed by designers with many years of experience in performing expert examinations and working in computer security, which helped make the program convenient for practical use.
The program is aimed at practicing forensic experts who want to perform their examinations correctly.
The program helps find and analyze forensically important information in the following programs, logs and files:
- instant messengers (ICQ, ICQ Lite, &RQ/R&Q, Trillian, QIP, QIP Infium, Miranda, VyPress Chat, Mail.ru Agent, Skype) - contact lists and user correspondence;
- message exchange logs (NetSpeakerPhone, Counter-Strike) - user correspondence;
- e-mail program databases (Outlook, TheBat!) - existing and deleted e-mail messages;
- Windows index files (index.dat) - analysis of all file areas, including LEAK blocks;
- Windows system logs (Event Logs) - information about flash memory cards that were connected to the computer and about all Internet connections;
- Windows service files (*.pf, *.lnk, setupapi.log, rasphone.pbk) - paths of files that were opened, etc.;
- Windows registry files;
- browser service files (Internet Explorer, Opera, Firefox);
- documents in OLE2 format (including metadata extraction and description). "Forensic Assistant" is one of the few programs that analyzes these files at a low level and can display the real file modification dates.
The file formats listed above (except Firefox and ICQ6) are analyzed at a low level, which makes it possible to obtain the available information even from damaged files. The algorithms used in the program were adapted by a special method, which reduces the time needed for an examination.
- Creation of file copies according to a list of files, preserving the file path ("clean" list, "Kaspersky Antivirus" log, "AVSearch" log).
- Encoding and decoding of information in base64 (MIME) format.
- Decoding of files and file fragments encoded with the DEC, ADD or XOR operations (as used, for example, by installers of malicious software).
- Databases containing several thousand ICQ numbers with nicknames and types of activity indicated; these ICQ numbers were used by Russian network fraudsters, carders, spammers, hackers, virus writers and distributors of malicious software.
- USB device write blocker (for Windows XP SP2+/Vista).
- "RegWalker" utility for working with an inactive (offline) Windows registry, including viewing the registry in read-only mode.
- "Hash Sets" utility for building hash databases, detecting files against those databases, and comparing file groups (including a program and its distribution kit).
- Results are presented in tables; every column can be sorted, and text strings can be searched (including searching against a list).
- Results can be exported to a text file (RTF) or an Excel file (CSV) without office applications having to be installed on the expert's computer.
- To detect associates and criminal connections, the settings and contact lists of all message exchange programs found can be automatically checked against the integrated ICQ number database.
- Information search and analysis can also be carried out inside archives of 14 formats.
- Detection of password-protected archives and of some files belonging to cryptographic programs.
- Multilanguage interface (Russian and English language files are included in the distribution kit).
- Preview of found files as text, as a hex dump or as a graphics file.
- Integrity checking of software modules.
- Open interface for connecting software modules developed by other authors (for example, by users of the program).
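The DEC/ADD/XOR decoding listed above, as an added example that is not Forensic Assistant's own code: a Python brute-force key recovery for a file fragment obfuscated with a single-byte key. It assumes the analyst knows (or guesses) a leading signature such as "MZ" and that the decoded content is mostly printable; the sample fragment is constructed inline, not a real file.

```python
import string

PRINTABLE = frozenset(string.printable.encode())

def undo(data: bytes, op: str, key: int) -> bytes:
    """Invert one byte-wise step: 'xor' re-XORs; 'add' subtracts the key
    (stored byte was p + key mod 256); 'dec' adds it back (stored p - key)."""
    if op == "xor":
        return bytes(c ^ key for c in data)
    if op == "add":
        return bytes((c - key) & 0xFF for c in data)
    if op == "dec":
        return bytes((c + key) & 0xFF for c in data)
    raise ValueError(f"unknown operation {op!r}")

def obfuscate(data: bytes, op: str, key: int) -> bytes:
    """Forward obfuscation step; used here only to build the constructed sample."""
    inverse = {"xor": "xor", "add": "dec", "dec": "add"}[op]
    return undo(data, inverse, key)

def text_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; a crude plausibility score for a decode."""
    return sum(c in PRINTABLE for c in data) / max(len(data), 1)

def recover(fragment: bytes, magic: bytes = b"", min_text: float = 0.9) -> list:
    """Brute-force the single-byte key of each operation and keep plausible decodes.

    A candidate must start with `magic` (e.g. b"MZ" for a PE file, when known)
    and the rest must be mostly printable. Only XOR and ADD are searched: a DEC
    by k is the same byte map as an ADD by 256 - k, so it comes back as
    ("add", 256 - k). Returns [(op, key, decoded_bytes), ...].
    """
    hits = []
    for op in ("xor", "add"):
        for key in range(1, 256):
            out = undo(fragment, op, key)
            if out.startswith(magic) and text_ratio(out[len(magic):]) >= min_text:
                hits.append((op, key, out))
    return hits

# Constructed sample (not a real file): a fake PE header stub obfuscated by adding
# 0x2B to every byte, the way a simple installer might store an embedded payload.
SAMPLE_PLAIN = b"MZ\x90\x00This program cannot be run in DOS mode."
SAMPLE_FRAGMENT = obfuscate(SAMPLE_PLAIN, "add", 0x2B)

if __name__ == "__main__":
    for op, key, out in recover(SAMPLE_FRAGMENT, magic=b"MZ"):
        print(f"{op} key=0x{key:02x}: {out[:24]!r}")
```

Without a known signature, pass `magic=b""` and expect several candidates (for example, XOR keys that merely change letter case also keep the text printable); the list is a set of leads for the examiner, not a verdict.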